Editor's note: The security and privacy of IPv6 automatic address configuration are an increasing concern. Automatically configured IPv6 addresses have three security implications: they narrow the search space an attacker must cover to mount an address-scanning attack, they allow a node's activity within a network to be correlated, and they make it easier to track hosts across networks. Fernando Gont, a security engineer and consultant, describes some methods for mitigating these problems and argues that more work is still needed.
IPv6 provides two different address configuration mechanisms: Stateless Address Autoconfiguration (SLAAC) and stateful Dynamic Host Configuration Protocol for IPv6 (DHCPv6). In DHCPv6, addresses are centrally managed by a DHCPv6 server, so the server can apply many address allocation policies (such as sequential addresses or random addresses). SLAAC is a decentralized address allocation method: each node configures its own IPv6 addresses automatically, according to local policy.
In SLAAC, the specific policy applied depends on the underlying link-layer technology. On Ethernet, the IETF standard specifies that an IPv6 address is formed from an autoconfigured prefix and an interface ID (IID) that embeds the underlying link-layer address. Specifically, the IID is generated as follows:
1. Obtain the Ethernet (MAC) address of the underlying network interface.
2. Flip the U/L (universal/local) bit of the IEEE Organizationally Unique Identifier (OUI) portion of the Ethernet address.
3. Insert the value 0xfffe between the upper three bytes and the lower three bytes of the Ethernet address.
The resulting 64-bit value is then used as the IID when generating the IPv6 address.
IIDs created this way share three properties. First, they are (at least in theory) globally unique, because the Ethernet addresses they are derived from are usually globally unique. Second, they follow a pattern, which again comes from the underlying Ethernet address: for example, devices made by the same vendor have identical upper five bytes in their IIDs, namely the IEEE OUI followed by the two bytes 0xfffe. Third, they remain constant across one or more networks unless the underlying Ethernet address is changed manually or the underlying network interface card (NIC) is replaced.
Problems caused by traditional SLAAC addresses
Generating an IID from the underlying Ethernet address is a convenient way to obtain a globally unique identifier, and it also avoids duplicate IPv6 addresses within a network. However, the security community soon found that this approach has negative consequences for security and privacy. It reduces the search space for attackers performing IPv6 address-scanning attacks, and it lets attackers correlate node activity both within a single network and across multiple networks.
This article describes the privacy impact of traditional SLAAC addresses, in particular the correlation of host activity within a single network and across multiple networks (host tracking).
As mentioned earlier, embedding the MAC address of the underlying NIC in the IID keeps the IPv6 address constant (unless the NIC is changed). As a result, the address becomes a handle an attacker can use to track node activity within the network. For example, suppose a node connects to a network with prefix 2001:db8:1::/64 and automatically configures the address 2001:db8:1::a00:27ff:fe89:7878. If the node disconnects from the network and later reconnects, it will automatically configure the same address again (again assuming that the underlying NIC has not changed). An attacker can therefore attribute all network activity involving the IPv6 address 2001:db8:1::a00:27ff:fe89:7878 to that same node. This is usually called correlation of node activity within a network.
Using a "super cookie" for host tracking
SLAAC IIDs remain constant not only within one network but also across multiple networks, because they depend only on the MAC address of the underlying NIC, which does not change. Since these IIDs are generally globally unique (because the underlying MAC address is usually globally unique), a node can easily be correlated across different networks. For example, suppose a node connects to a network with prefix 2001:db8:1::/64 and automatically configures the address 2001:db8:1::a00:27ff:fe89:7878. The node then disconnects from that network and connects to a network with prefix 2001:db8:2::/64, where it automatically configures the address 2001:db8:2::a00:27ff:fe89:7878. The globally unique and unchanging IID a00:27ff:fe89:7878 clearly identifies the node, and it can be used to correlate the node's activity across multiple networks. This is usually called host tracking.
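The following Python audit script is an added example and not part of the original article. It runs the derivation in reverse over a constructed list of addresses a host was observed using on two networks: it recognizes modified-EUI-64 IIDs by the 0xfffe filler and the set U/L bit, recovers the embedded MAC, and reports any IID that appears under more than one /64 prefix, which is exactly the tracking handle described above. Addresses with random-looking IIDs (as temporary addresses produce) are left alone. The address list and the random IIDs in it are constructed sample data; a defender can run the same check over their own address inventory to find hosts still exposing their MAC in the IID.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: one host seen on two networks with an EUI-64 IID,
# and one host using random-looking (temporary) IIDs on both networks.
OBSERVED = [
    "2001:db8:1::a00:27ff:fe89:7878",
    "2001:db8:2::a00:27ff:fe89:7878",
    "2001:db8:1:0:3c1f:9a2b:77e4:d5c",
    "2001:db8:2:0:6b0e:1f5a:c302:98aa",
]


def eui64_mac(addr: str):
    """Return the MAC embedded in the IID if it is modified-EUI-64 shaped, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    # Modified EUI-64 from a globally unique MAC: bytes 3-4 are 0xfffe and
    # the U/L bit (0x02 in the first octet) is set after the flip.
    if iid[3:5] != b"\xff\xfe" or not iid[0] & 0x02:
        return None
    # Undo step 2 (flip the U/L bit back) and drop the 0xfffe filler.
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def audit(addresses):
    """Map each EUI-64-derived IID to the sorted list of /64 prefixes it was seen under."""
    by_iid = defaultdict(set)
    for a in addresses:
        if eui64_mac(a) is None:
            continue  # random or otherwise non-EUI-64 IID: nothing to correlate
        packed = ipaddress.IPv6Address(a).packed
        prefix = ipaddress.IPv6Network(a + "/64", strict=False)
        by_iid[packed[8:].hex()].add(str(prefix))
    return {iid: sorted(p) for iid, p in by_iid.items()}


def tracked_hosts(addresses):
    """IIDs seen under more than one /64: each one is a cross-network tracking handle."""
    return {iid: p for iid, p in audit(addresses).items() if len(p) > 1}


if __name__ == "__main__":
    for iid, prefixes in tracked_hosts(OBSERVED).items():
        mac = eui64_mac(ipaddress.IPv6Address(int(iid, 16)).exploded)
        print(f"IID {iid} (MAC {mac}) seen on: {', '.join(prefixes)}")
```

The check keys on structure rather than on a vendor database, so it needs no external data; recovering the OUI (the first three octets of the returned MAC) is what lets the second property in the article, the per-vendor pattern, be confirmed from an address alone.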